Dubbed “BlueBorne,” the attack vector enables malicious actors to leverage the short-range wireless protocol to take full control over targeted devices, access data and spread malware to other adjacent IoT devices.

“By spreading through the air, BlueBorne targets the weakest spot in the networks’ defense – and the only one that no security measure protects,” researchers said in a blog post. “Spreading from device to device through the air also makes BlueBorne highly infectious.”

BlueBorne is comprised of eight related vulnerabilities, four of which are classified as critical. The security holes were identified in the Bluetooth implementations in Android, Microsoft, Linux and iOS:

“The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.”

Nonetheless, researchers worked closely with Google, Microsoft, Apple, Samsung and Linux to ensure a safe, secure and coordinated response to the vulnerabilities identified.

Lamar Bailey, director of security research and development at Tripwire, stressed that BlueBorne vulnerabilities are a good reason why IT security teams should treat Bluetooth like any open port. “[The best] mitigation is to turn it off, unless you must have it,” Bailey told Dark Reading. “Use wired devices when possible,” especially around sensitive data, he said.